Operational Risk

Most businesses, most boards, don’t spend a lot of time thinking about uncertainty. In fact, they are terrified of doing so.
The quote is from a good article in Strategic Risk Global about the value of risk management and why many risk managers can’t seem to make a difference in the perception of what they do for the organisation.
[T]o create a more effective relationship between the risk function and the board, risk managers must stand up and show their bosses that they are not mere insurance buyers, as some senior leaders perceive them to be.

It could be just me, but every time there’s a need to present a complex topic to the executives or business leadership (topic for another musing, methinks) I get the typical looks of “oh no, he’s going to get all lectury again”. And it’s true, I prefer to present complex topics as complex, even if the style of presentation makes them approachable. There’s no way to dumb down something that’s complex without:
also sending the message that sure, they may be leaders of the organisation, people that we entrust to make the right decisions, etc.

I’m reading up on contemporary intelligence as part of my grad course and came across these six intelligence values. So far all I’ve read on intelligence reads very true to information risk management and often risk management as a whole.
Have a read, see if the values for intelligence don’t marry neatly with risk management values:
Accuracy: All sources and data must be evaluated for the possibility of technical error, misperception, and hostile efforts to mislead. Objectivity: All judgments must be evaluated for the possibility of deliberate distortions and manipulations due to self-interest.

So we have
A person, believed to be a man, entered the “sterile” area of the terminal at about 9:30am today via the exit doors from the baggage collection area.
…
[T]he man was spotted on closed circuit TV entering through the exit but security staff watching monitors lost track of him once inside the terminal. Thousands of people are now being cleared out of the terminal to be rescreened by security.
…
The breach exposes a gap in the terminal’s security for which Qantas is responsible, as there is no security officers permanently stationed at the “out” doors to watch passenger movements.

What this means is organizations need to be thinking of security as spanning all attack vectors at the same time. It is imperative that organizations protect critical applications against both traditional attack vectors as well as those at the application layer disguised as legitimate requests. Organizations need to evaluate their security posture and ensure that every infrastructure component through which a request flows can handle the load in the event of a massive “3DoS”. It’s not enough to ensure that there’s capacity in the application infrastructure if an upstream network component may buckle under the load.

As it happens I was asked to weigh in on a pressing matter. They’re all pressing, always pressing and urgent and require immediate response by the time they come to me. Risk management is involved in major decisions, see. Mostly it’s a CYA policy, but we’ll get to that some other time.Pressing matter: is Technology A that “solves” Imaginary Problem 1 money better spent than Technology B that also solves that problem and has a bonus of being virtualised?
When queried about budgets I was told there’s plenty for the boxes, support contract and licenses.